I have followed the instructions for “Deploying Duo Authentication for Windows Logon to clients using Active Directory”. The group policy created with these steps works great. Now what I am looking for is a way for this group policy to NOT run (and re-install Duo) every time the server or PC gets rebooted.
I’ve read up on a way to create environment variables in a GPO and then create a WMI filter to use those variables to check if Duo is installed or not. That way the GPO will only run if Duo is NOT installed. However, I’m not very familiar with WMI filters. Also, the only filter I can find is for .exe files and I can’t find any .exe files for Duo (only .dll files).
Does anyone in the community have any experience in getting Duo deployed via GPO and getting the GPO to only run ONCE (e.g. when Duo is not installed)?
GPO shouldn’t reinstall, unless the version of the GPO changes.
Apps installed via GPO get recorded here: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\AppMgmt\
Are you actually seeing reinstalls?
Thank you for your reply! No, I have not been seeing re-installs. Just trying to be proactive before I apply the GPO to all of the PCs and servers in our environment. You’re the third person to confirm that the GPO shouldn’t re-install the software (the other two were Duo support techs). So I’ve been trying to test the GPO I created to make sure it won’t re-install the software and I’ve run into a weird issue that has been escalated to Duo’s Windows engineering team. Maybe you’ve seen this related problem with Duo or other software you’ve installed via GPO:
In testing the GPO, I’ve manually (under the PC’s Apps and Features) uninstalled Duo and rebooted the PC so that Duo can be installed via GPO. What’s weird is that the GPO will add the app’s information into the registry, but the actual application won’t be installed onto the hard drive (no Duo Security folders in C:\Program Files or C:\ProgramData). I know the GPO works because it will install Duo on a PC or server that has never had Duo installed on it. I did a lot of internet searching (mostly coming up with Microsoft documentation and forums) on the problem of applications not being installed via GPO and I tried quite a few of their solutions, mostly adjusting the installer GPO so that it waits until the PC has a network connection.
So, as I wait for support to update the ticket, I’m wondering if you or anyone else in the community has had experience with this strange issue.
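An added example, not part of any post in this thread and not Duo's own tooling: a PowerShell check that compares the GPO's AppMgmt record mentioned above with what is actually installed, to spot the "recorded in the registry but not on disk" state described in the last post. It assumes each AppMgmt subkey carries `Deployment Name`, `GPO Name` and `Product ID` values, that the deployment name contains "Duo", and that the install folder is `Duo Security` under Program Files.

```powershell
# Added example: detect drift between the GPO software-installation record
# and the real install state. Run elevated on the machine being checked.
$appMgmt   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\AppMgmt'
$uninstall = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)
$nameFilter = '*Duo*'                                   # assumption: deployment name contains "Duo"
$installDir = Join-Path $env:ProgramFiles 'Duo Security' # folder name taken from the post above

if (-not (Test-Path -LiteralPath $appMgmt)) {
    Write-Output 'No GPO-deployed applications are recorded on this machine.'
    return
}

$results = foreach ($key in Get-ChildItem -LiteralPath $appMgmt) {
    $rec = Get-ItemProperty -LiteralPath $key.PSPath
    # Assumption: these value names exist on each AppMgmt subkey.
    if ($rec.'Deployment Name' -notlike $nameFilter) { continue }

    # Normalise the MSI product code to the {GUID} form used under Uninstall.
    $productCode = $null
    if ($rec.'Product ID') { $productCode = '{' + $rec.'Product ID'.Trim('{}') + '}' }

    # Windows Installer registers an Uninstall subkey named after the product code.
    $msiRegistered = $false
    if ($productCode) {
        foreach ($root in $uninstall) {
            if (Test-Path -LiteralPath (Join-Path $root $productCode)) { $msiRegistered = $true }
        }
    }
    $filesPresent = Test-Path -LiteralPath $installDir

    [pscustomobject]@{
        Deployment    = $rec.'Deployment Name'
        GPO           = $rec.'GPO Name'
        ProductCode   = $productCode
        MsiRegistered = $msiRegistered
        FilesPresent  = $filesPresent
        Status        = if ($msiRegistered -and $filesPresent) { 'Installed' }
                        else { 'Recorded by GPO but not installed' }
    }
}

if ($results) { $results | Format-List }
else { Write-Output "No AppMgmt record matches $nameFilter." }
```

A machine reporting `Recorded by GPO but not installed` is in the state the last post describes: Group Policy considers the package deployed, so it will not reinstall it on the next boot.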